Vendors Rush to Issue Security Updates for Meltdown, Spectre Flaws

Apple says all Mac and iOS systems are affected by new side-channel attack vulnerabilities.

[UPDATED 7:20pm ET with Apple's statement]

Wondering what to do in the wake of the revelation of newly discovered critical design flaws in most modern microprocessors? Security experts say the best bet is to apply patches for the side-channel attack vulnerabilities, which were disclosed this week.

The vulnerabilities impact a wide number of products from numerous vendors, though not always with the same level of severity. Also impacted are servers, and in many cases the underlying infrastructure hosting cloud services. Vendors and security analysts have urged all organizations and customers to apply patches, OS updates, and other workarounds as soon as they become available, regardless of the severity of impact.

"Generally speaking, the patches to fix this move the balance back towards security," said Paul Ducklin, senior security advisor at Sophos.

The catch, however is that some of the fixes could reduce performance a bit, he said. "Sometimes, the price of security progress is a modicum of inconvenience. In this case, the updates might slow you down a tiny bit, but think of it as being for the greater good of all," he noted.

Here's a rundown of vendors that have released, or are working on, patches for the vulnerabilities, aka Meltdown and Spectre.

Intel

Intel has acknowledged the issue but said it doesn't believe the exploits have the potential to corrupt, modify, or delete data. The processor vendor claimed that many computing devices from other vendors are susceptible to the same so-called speculative execution side-channel attacks.

As of Jan 4, Intel has developed or is developing updates for all Intel-based PCs and servers to address problems caused by the Spectre and Meltdown exploits. The chipmaker said it hopes to have updates for 90% of its processor products introduced over the last five years, by the end of next week. The company has urged administrators and end users to check with their OS and hardware vendors and apply the updates as soon as they become available.

According to Google, the issue has already been mitigated in many of its affected products, or wasn't a vulnerability at all in the first place. Among its affected products are the following:

Android

Google's monthly security update for January 2018 contains fixes for the new exploits. Specifically, the company's Android 2018-01-05 Security Patch Level includes mitigations that limit attacks on all Intel and known variants of ARM processors according to the company.

Google wants users of all Google-supported Android devices such as the Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL to accept and install the latest security update on their devices.

Chrome

Users and administrators of current stable versions of Chrome need to enable the browser's Site Isolation feature to protect against the threat. The feature isolates websites on different browser tabs into separate address spaces to minimize fallout from security incidents.

Information on Site Isolation and how to enable it are available here. Enterprises that want to set Site Isolation by policy on Chrome desktops can learn how to do that here.

Microsoft has released several updates to address problems caused by the vulnerabilities. Customers and organizations that have enabled automatic Windows security updates will get the fixes with Microsoft's January 2018 patch release. Microsoft said users who have not enabled automatic updates should manually install the fixes as soon as possible. According to the company, in order for customers to be fully protected against speculative execution side-channel attacks, they may also need to install hardware and firmware updates from device vendors and in some cases from their antivirus vendors as well. Affected products include multiple versions of Windows, Windows Server, Microsoft Edge, and Internet Explorer.

Amazon said that all but a single-digit percentage of its underlying cloud infrastructure systems are already protected against the three vulnerabilities.

Updates for the remaining systems will be available soon along with associated guidance on how to implement them. Updates are available for Amazon Linux and those for EC2 Windows will be made available as Microsoft patches become available.

Amazon's updates are designed to fix underlying infrastructure issues. "In order to be fully protected against these issues, customers must also patch their instance operating systems," the vendor said.

Apple was one of the last vendors to announce its patching plans. Late today, Apple said in a post that all Mac systems and iOS devices are affected by the vulnerabilities, but that it knows of no exploits "impacting customers at this time."

The vendor said it released mitigations for Meltdown in iOS 11.2, MacOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, and that Apple Watch is not impacted by that vuln. As for Safari, Apple will issue an update with mitigations against Spectre in "the coming days."

"We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS," Apple said in its statement here.

Mozilla

As of Jan 4, Mozilla said it was working with security researchers to understand the full impact of the newly announced vulnerabilities and to find fixes for them. In the meantime, the browser maker has implemented a short-term mitigation by disabling or, in some cases reducing the precision of, certain timers in its Firefox browser. The browser maker said it was taking the measure "since [the] new class of attacks involves measuring precise time intervals."

"In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers," Mozilla said on its blog.

A January 3 CMU CERT alert identified AMD's products as being impacted by the newly discovered vulnerabilities. However, the chipmaker downplayed the severity of the threat and said its investigation showed little impact on AMD products. In an update, AMD said the Bounds check bypass vulnerability (CVE-2017-5753) and the Branch Target Injection Vulnerability (CVE-2017-5715) had only a negligible to near-zero performance impact on AMD's processors. Similarly, the Rogue Data Cache Load flaw (CVE-2017-5754) had zero-impact due to "AMD architecture differences," the company has noted.

AMD has not released any security fixes as of Jan. 4, and has said that any impact on its processors should be resolved via third party OS and software updates.

Most ARM processors are not impacted by the side-channel vulnerabilities, according to the mobile chip designed. It has released a complete list of "the small subset" of all ARM-designed processors that are susceptible. Among the 10 processors impacted by at least one of the three side-channel vulnerabilities are the Cortex R7 and R8, Cortex A8, A9 and A15 and Cortex A73 and A75.

ARM has listed various actions Linux users can take to mitigate the threat in each of the affected processors. It has instructed users running Android to contact Google.

Red Hat has released a list of all affected versions of its Linux software and said it considers the newly announced vulnerabilities as having an "Important" security impact on its products. "While Red Hat's Linux Containers are not directly impacted by kernel issues, their security relies upon the integrity of the host kernel environment. Red Hat recommends that you use the most recent versions of your container images," it said.

The company said it is actively developing scripts to help users understand the impact of the vulnerabilities on their specific systems. It has released security patches for many versions of its Enterprise Linux and is working on updates for the remaining ones. It has urged users to apply the updates as soon as they become available because no other mitigations are available for the vulnerabilities.

SUSE has released patches for most of its recent SUSE Linux Enterprise versions. Patches for the remaining versions will become available shortly, according to the company. SUSE has rated the three vulnerabilities as being of "critical" severity to its affected products and has set up a site that gives users continuous updates on patches as they become available.

VMWare has released updates for its VMware ESXi, Workstation, and Fusion technologies. The company has rated the threat presented by the three vulnerabilities as being of "important" severity. "Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host," the company said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

Some Huawei smart phones with the versions before Berlin-L21HNC185B381; the versions before Prague-AL00AC00B223; the versions before Prague-AL00BC00B223; the versions before Prague-AL00CC00B223; the versions before Prague-L31C432B208; the versions before Prague-TL00AC01B223; the versions before Prag...

Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON injection vulnerability. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Due to insufficient verification of the input, this could be exploited to obtain the management privile...